pekko/akka-docs/rst/scala/http/client-side/https-support.rst

.. _clientSideHTTPS:

Client-Side HTTPS Support
=========================

Akka HTTP supports TLS encryption on the client-side as well as on the :ref:`server-side <serverSideHTTPS>`.

.. warning:

   Akka HTTP 1.0 does not completely validate certificates when using HTTPS. Please do not treat HTTPS connections
   made with this version as secure. Requests are vulnerable to a Man-In-The-Middle attack via certificate substitution.

The central vehicle for configuring encryption is the ``HttpsConnectionContext``, which can be created using
the static method ``ConnectionContext.https`` which is defined like this:

.. includecode:: /../../akka-http-core/src/main/scala/akka/http/scaladsl/ConnectionContext.scala
   :include: https-context-creation

In addition to the ``outgoingConnection``, ``newHostConnectionPool`` and ``cachedHostConnectionPool`` methods the
`akka.http.scaladsl.Http`_ extension also defines ``outgoingConnectionTls``, ``newHostConnectionPoolTls`` and
``cachedHostConnectionPoolTls``. These methods work identically to their counterparts without the ``-Tls`` suffix,
with the exception that all connections will always be encrypted.

The ``singleRequest`` and ``superPool`` methods determine the encryption state via the scheme of the incoming request,
i.e. requests to an "https" URI will be encrypted, while requests to an "http" URI won't.

The encryption configuration for all HTTPS connections, i.e. the ``HttpsContext`` is determined according to the
following logic:

1. If the optional ``httpsContext`` method parameter is defined it contains the configuration to be used (and thus
   takes precedence over any potentially set default client-side ``HttpsContext``).

2. If the optional ``httpsContext`` method parameter is undefined (which is the default) the default client-side
   ``HttpsContext`` is used, which can be set via the ``setDefaultClientHttpsContext`` on the ``Http`` extension.

3. If no default client-side ``HttpsContext`` has been set via the ``setDefaultClientHttpsContext`` on the ``Http``
   extension the default system configuration is used.

Usually the process is, if the default system TLS configuration is not good enough for your application's needs,
that you configure a custom ``HttpsContext`` instance and set it via ``Http().setDefaultClientHttpsContext``.
Afterwards you simply use ``outgoingConnectionTls``, ``newHostConnectionPoolTls``, ``cachedHostConnectionPoolTls``,
``superPool`` or ``singleRequest`` without a specific ``httpsContext`` argument, which causes encrypted connections
to rely on the configured default client-side ``HttpsContext``.

If no custom ``HttpsContext`` is defined the default context uses Java's default TLS settings. Customizing the
``HttpsContext`` can make the Https client less secure. Understand what you are doing!

Hostname verification
---------------------

Hostname verification proves that the Akka HTTP client is actually communicating with the server it intended to
communicate with. Without this check a man-in-the-middle attack is possible. In the attack scenario, an alternative
certificate would be presented which was issued for another host name. Checking the host name in the certificate
against the host name the connection was opened against is therefore vital.

The default ``HttpsContext`` enables hostname verification. Akka HTTP relies on the `Typesafe SSL-Config`_ library
to implement this and security options for SSL/TLS. Hostname verification is provided by the JDK
and used by Akka HTTP since Java 7, and on Java 6 the verification is implemented by ssl-config manually.

.. note::
  We highly recommend updating your Java runtime to the latest available release,
  preferably JDK 8, as it includes this and many more security features related to TLS.

.. _Typesafe SSL-Config: https://github.com/typesafehub/ssl-config
.. _akka.http.scaladsl.Http: @github@/akka-http-core/src/main/scala/akka/http/scaladsl/Http.scala
=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00			`.. _clientSideHTTPS:`

=doc Significantly extend HTTP documentation with new content and ports from spray docs 2015-05-11 23:05:18 +02:00			`Client-Side HTTPS Support`
			`=========================`

=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00			Akka HTTP supports TLS encryption on the client-side as well as on the :ref:`server-side <serverSideHTTPS>`.

add insecure HTTPS client warning for Scala 2015-11-24 10:22:56 +01:00			`.. warning:`

			`Akka HTTP 1.0 does not completely validate certificates when using HTTPS. Please do not treat HTTPS connections`
			`made with this version as secure. Requests are vulnerable to a Man-In-The-Middle attack via certificate substitution.`

wip #19441 convert from Option to Optional in javadsl 2016-01-22 17:01:22 +02:00			The central vehicle for configuring encryption is the ``HttpsConnectionContext``, which can be created using
			the static method ``ConnectionContext.https`` which is defined like this:
=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00
wip #19441 convert from Option to Optional in javadsl 2016-01-22 17:01:22 +02:00			`.. includecode:: /../../akka-http-core/src/main/scala/akka/http/scaladsl/ConnectionContext.scala`
			`:include: https-context-creation`
=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00
			In addition to the ``outgoingConnection``, ``newHostConnectionPool`` and ``cachedHostConnectionPool`` methods the
			`akka.http.scaladsl.Http`_ extension also defines ``outgoingConnectionTls``, ``newHostConnectionPoolTls`` and
			``cachedHostConnectionPoolTls``. These methods work identically to their counterparts without the ``-Tls`` suffix,
			`with the exception that all connections will always be encrypted.`

			The ``singleRequest`` and ``superPool`` methods determine the encryption state via the scheme of the incoming request,
			`i.e. requests to an "https" URI will be encrypted, while requests to an "http" URI won't.`

			The encryption configuration for all HTTPS connections, i.e. the ``HttpsContext`` is determined according to the
			`following logic:`

+doc #18012 port client-side https documentation to the java-side 2015-07-20 11:14:25 +02:00			1. If the optional ``httpsContext`` method parameter is defined it contains the configuration to be used (and thus
=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00			takes precedence over any potentially set default client-side ``HttpsContext``).

+doc #18012 port client-side https documentation to the java-side 2015-07-20 11:14:25 +02:00			2. If the optional ``httpsContext`` method parameter is undefined (which is the default) the default client-side
=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00			``HttpsContext`` is used, which can be set via the ``setDefaultClientHttpsContext`` on the ``Http`` extension.

			3. If no default client-side ``HttpsContext`` has been set via the ``setDefaultClientHttpsContext`` on the ``Http``
			`extension the default system configuration is used.`

			`Usually the process is, if the default system TLS configuration is not good enough for your application's needs,`
			that you configure a custom ``HttpsContext`` instance and set it via ``Http().setDefaultClientHttpsContext``.
			Afterwards you simply use ``outgoingConnectionTls``, ``newHostConnectionPoolTls``, ``cachedHostConnectionPoolTls``,
+doc #18012 port client-side https documentation to the java-side 2015-07-20 11:14:25 +02:00			``superPool`` or ``singleRequest`` without a specific ``httpsContext`` argument, which causes encrypted connections
=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00			to rely on the configured default client-side ``HttpsContext``.

!htc #15687 enable https hostname verification on Java 7+ 2015-07-23 15:11:32 +02:00			If no custom ``HttpsContext`` is defined the default context uses Java's default TLS settings. Customizing the
			``HttpsContext`` can make the Https client less secure. Understand what you are doing!

=doc explain hostname verification, recommend upgrading 2015-12-21 13:39:15 +01:00			`Hostname verification`
			`---------------------`
!htc #15687 enable https hostname verification on Java 7+ 2015-07-23 15:11:32 +02:00
			`Hostname verification proves that the Akka HTTP client is actually communicating with the server it intended to`
			`communicate with. Without this check a man-in-the-middle attack is possible. In the attack scenario, an alternative`
			`certificate would be presented which was issued for another host name. Checking the host name in the certificate`
			`against the host name the connection was opened against is therefore vital.`

=doc explain hostname verification, recommend upgrading 2015-12-21 13:39:15 +01:00			The default ``HttpsContext`` enables hostname verification. Akka HTTP relies on the `Typesafe SSL-Config`_ library
			`to implement this and security options for SSL/TLS. Hostname verification is provided by the JDK`
			`and used by Akka HTTP since Java 7, and on Java 6 the verification is implemented by ssl-config manually.`
!htc #15687 enable https hostname verification on Java 7+ 2015-07-23 15:11:32 +02:00
=doc explain hostname verification, recommend upgrading 2015-12-21 13:39:15 +01:00			`.. note::`
			`We highly recommend updating your Java runtime to the latest available release,`
			`preferably JDK 8, as it includes this and many more security features related to TLS.`
=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00
=doc explain hostname verification, recommend upgrading 2015-12-21 13:39:15 +01:00			`.. _Typesafe SSL-Config: https://github.com/typesafehub/ssl-config`
=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00			`.. _akka.http.scaladsl.Http: @github@/akka-http-core/src/main/scala/akka/http/scaladsl/Http.scala`